Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

-- SANS Network Security 2010, Las Vegas, September 19-27, 2010. 40 courses. Bonus evening presentations include "The Return of Command Line Kung Fu" and "Cyberwar or Business as Usual? The State of US Federal CyberSecurity Initiatives".
http://www.sans.org/network-security-2010/

The Irish Data Protection Commissioner has published a draft security breach code of practice that, if adopted, would require that any data breach involving information belonging to more than 100 people be reported to the Data Protection Commissioner. Organizations would be exempt from the requirement if they demonstrate that the compromised data are protected by strong security measures or if the breach affects non-sensitive information or small amounts of personal information. The Office of the Data Protection Commissioner is accepting public comment on the draft code through June 18, 2010.
-http://www.scmagazineuk.com/irish-data-protection-commissioner-introduces-draft-code-of-practice-on-breach-notification/article/172079/
-http://www.dataprotection.ie/viewdoc.asp?DocID=1077&m=f

[Editor's Note (Pescatore): A lot of loopholes in this one, but Europe adding disclosure requirements would be a good thing.
(Honan): As someone who has advocated that Ireland should have data breach laws, I am happy to see the proposed code and encourage those of you in Ireland to read the proposal and submit your comments. Hopefully this code will also serve as an example for other European countries to follow suit.]

Companies Including Cyber Risks in SEC Filings (June 8, 2010)

In the wake of Google's acknowledgment that hackers managed to gain access to its internal computer systems, companies have begun noting in US Securities and Exchange Commission (SEC) filings that similar attacks could compromise the security and integrity of intellectual property. The notes have been made in mandatory SEC filings that require companies to disclose risks that could have a negative impact on their bottom line. Google noted that "because the techniques used [by hackers] ... change frequently and often are not recognized until launched against a target, we may be unable to anticipate these techniques or to implement adequate preventative measures."
-http://www.businessweek.com/idg/2010-06-08/after-google-hack-warnings-pop-up-in-sec-filings.html

[Editor's Note (Schultz): Honestly, the problem Google needs to address is not the changing nature of attacks, but rather security 101.
(Paller): I must disagree with Gene. Google's words are accurate, and Security 101 isn't enough. The attack earlier this year taught Google that highly-touted security tools were completely incapable of stopping the attack. In the aftermath, Google moved rapidly to recruit a cadre of people with very advanced technical skills - people the Air Force calls "hunters." Hunters are the most valuable people in security - the central ingredient in defending against the advanced persistent threat that compromised Google and is compromising government and industry computers, as you read this.]

Cyber thieves have targeted the New York City Department of Education, electronically draining one of the department's bank accounts of more than US $644,000. The account, which was designated for petty cash spending, was limited to US $500 purchases, but an oversight allowed transfers of any amount. The thieves made transfers for more than three years before the scheme was detected. Officials didn't discover the problem because they neglected to reconcile their accounts regularly. Albert Attoh was sentenced to one year in prison and ordered to pay US $270,000 in restitution for his role in the thefts. In exchange for payments, Attoh gave bank routing and account data to other people who used it to pay student loans and make purchases.
-http://www.theregister.co.uk/2010/06/07/electronic_account_raided/

Bank of America (BofA) call center employee Brian Matty Hagen has pleaded guilty to bank fraud. Hagen admitted he stole customer information and tried to sell it. Hagen's scheme was uncovered when he attempted to make a data sale to an undercover FBI agent. Hagen targeted only BofA accounts with balances in excess of US $100,000. Hagen was keeping track of customers' information and hoped to exchange it for 25 percent of the profits. The information was allegedly going to be used to establish credit lines at other financial institutions.
-http://www.theregister.co.uk/2010/06/08/bank_insider_data_theft/
-http://www.businessweek.com/idg/2010-06-07/bofa-call-center-worker-pleads-guilty-to-data-theft.html

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a postgraduate-level IT security college, www.sans.edu.

Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat, and he is a senior Lockheed Martin Fellow.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription (and for free posters), or to update a current subscription, visit http://portal.sans.org/